Overview

overview

10

Static

static

3

JaffaCakes...50.exe

windows7-x64

10

JaffaCakes...50.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-01-2025 09:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_6406508dd1a356c55c6cd0ee11d7b850.exe

  • Size

    263KB

  • MD5

    6406508dd1a356c55c6cd0ee11d7b850

  • SHA1

    3e22a13f956580132356da7fe3a34244ad50d51c

  • SHA256

    23e4591f4c3ee0f420d57d765dee75477500acb7b299610ebe7f30335e142fba

  • SHA512

    c7fb881cbb3916c218272a79152b2c033ee553f68a4aa6e31cd19ecb382e82c60c9441238ca435d1ce7d3c80ec07e11040a440a6392d58fc331a7a818bffbf94

  • SSDEEP

    6144:xKcU7oQvrYYmb8d5pOqAgi192SFzkz/dH4SUtj6khsA3gK:xK37o6rY9eYqAD19XFQzFHItj6khv3gK

Score
10/10
modiloaderdiscoveryevasionpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modiloader family
    modiloader
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • ModiLoader Second Stage 31 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Disables use of System Restore points 1 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6406508dd1a356c55c6cd0ee11d7b850.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6406508dd1a356c55c6cd0ee11d7b850.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Windows\SysWOW64\svchost.exe
      "svchost.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Adds policy Run key to start application
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Deletes itself
      • Adds Run key to start application
      • Maps connected drives based on registry
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4284
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\SysWOW64\svchost.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2080
      • C:\Windows\SysWOW64\explorer.exe
        "explorer.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4768
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\SysWOW64\svchost.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3324

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\{33311350-8328-981b-bb14-f626089db9c3}\{33311350-8328-981b-bb14-f626089db9c3}.exe
    Filesize

    263KB

    MD5

    6406508dd1a356c55c6cd0ee11d7b850

    SHA1

    3e22a13f956580132356da7fe3a34244ad50d51c

    SHA256

    23e4591f4c3ee0f420d57d765dee75477500acb7b299610ebe7f30335e142fba

    SHA512

    c7fb881cbb3916c218272a79152b2c033ee553f68a4aa6e31cd19ecb382e82c60c9441238ca435d1ce7d3c80ec07e11040a440a6392d58fc331a7a818bffbf94

    Download Submit

  • memory/1124-10-0x00000000006E0000-0x000000000071F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1124-1-0x00000000006E0000-0x000000000071F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1124-4-0x0000000000401000-0x0000000000409000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1124-3-0x0000000000750000-0x0000000000751000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1124-11-0x0000000000401000-0x0000000000409000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1124-0-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/1124-9-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/1124-2-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/2080-18-0x00000000000D0000-0x00000000000DE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2080-21-0x0000000000650000-0x000000000071E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/2080-24-0x0000000000650000-0x000000000071E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/2080-20-0x00000000000D0000-0x00000000000DE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2080-23-0x0000000000650000-0x000000000071E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/2080-22-0x0000000000650000-0x000000000071E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/3324-97-0x00000000034C0000-0x00000000034E6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/3324-95-0x00000000034C0000-0x00000000034E6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/3324-92-0x00000000034C0000-0x00000000034E6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/3324-89-0x0000000000E00000-0x0000000000ECE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/3324-91-0x00000000034C0000-0x00000000034E6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/3324-90-0x0000000000E00000-0x0000000000ECE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/3324-88-0x0000000000E00000-0x0000000000ECE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/3324-87-0x0000000000E00000-0x0000000000ECE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/3324-86-0x00000000000D0000-0x00000000000DE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3324-96-0x00000000034C0000-0x00000000034E6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/3324-85-0x00000000000D0000-0x00000000000DE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4284-26-0x0000000000430000-0x00000000004FE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/4284-42-0x0000000000430000-0x00000000004FE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/4284-5-0x00000000000D0000-0x00000000000DE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4284-8-0x00000000000D0000-0x00000000000DE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4284-14-0x0000000000430000-0x00000000004FE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/4284-12-0x0000000000430000-0x00000000004FE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/4284-44-0x0000000000430000-0x00000000004FE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/4284-46-0x0000000000430000-0x00000000004FE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/4284-13-0x0000000000430000-0x00000000004FE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/4284-45-0x0000000000430000-0x00000000004FE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/4284-43-0x0000000000430000-0x00000000004FE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/4284-17-0x0000000000430000-0x00000000004FE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/4284-47-0x0000000000430000-0x00000000004FE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/4284-25-0x0000000000430000-0x00000000004FE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/4284-29-0x0000000000430000-0x00000000004FE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/4284-30-0x0000000000430000-0x00000000004FE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/4284-27-0x0000000000430000-0x00000000004FE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/4284-28-0x0000000000430000-0x00000000004FE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/4768-33-0x00000000006B0000-0x0000000000AE3000-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/4768-31-0x00000000006B0000-0x0000000000AE3000-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/4768-37-0x0000000000AF0000-0x0000000000BBE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/4768-35-0x0000000000AF0000-0x0000000000BBE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/4768-36-0x0000000000AF0000-0x0000000000BBE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/4768-34-0x0000000000AF0000-0x0000000000BBE000-memory.dmp

    Filesize

    824KB

    Download